

Ransomware Incidents Skyrocket in 2021, FinCEN Reports

Total Amount from Ransomware-Related BSA Filings and Incidents, 2011 to 2021

Ransomware continues to pose a significant threat to U.S. critical infrastructure sectors, businesses and the public, according to a report released by the Financial Crimes Enforcement Network (FinCEN).

The report provides analysis of ransomware-related Bank Secrecy Act (BSA) filings for 2021, but focuses on trends during the second half of the year. It addresses the extent to which a substantial number of ransomware attacks appear to be connected to actors in Russia.

According to the analysis, FinCEN received 1,489 ransomware-related filings worth nearly $1.2 billion in 2021. This represents a 188% increase compared to the total of $416 million in 2020. FinCEN said this potentially reflects an increase in ransomware incidents or improved reporting and detection.

FinCEN Acting Director Himamauli Das said the analysis is a reminder that ransomware, including attacks perpetrated by Russian-linked actors, remains a serious threat to national and economic security. He said this highlights the importance of BSA filings, which allow FinCEN to uncover trends and patterns in support of whole-of-government efforts to prevent and combat ransomware attacks.

“Financial institutions play a critical role in helping to protect the United States from ransomware-related threats simply by fulfilling their BSA compliance obligations,” Das added.

Specific to the title industry, a recent ALTA survey showed that cyber attacks targeting title and settlement companies remained the same or increased over the past year.

What is Ransomware?

  • Ransomware is malicious software that encrypts a victim’s files and holds the data hostage until a ransom is paid, most often in Bitcoin. In the last two years, FinCEN reported that ransomware actors have shifted from a high-volume opportunistic approach to a more selective methodology in choosing victims, targeting larger enterprises, and demanding bigger payouts to maximize their return on investment.
  • Some ransomware actors have diversified their revenue streams using a ransomware-as-a-service (RaaS) business model in which ransomware creators sell user-friendly ransomware kits on the dark web or outsource ransomware distribution to affiliates in exchange for a percentage of the ransom. Additionally, since at least late 2019, ransomware groups have adopted new extortion tactics to maximize revenue and create an additional incentive for victims to pay. In one such tactic, known as “double extortion,” ransomware operators exfiltrate massive amounts of a victim’s data before encrypting it and then threaten to publish the stolen data if ransom demands are not met.

Detection and Mitigation Recommendations

  • Incorporate indicators of compromise (IOCs) from threat data sources into intrusion detection systems and security alert systems to enable active blocking or reporting of suspected malicious activity.
  • Contact law enforcement immediately regarding any identified activity related to ransomware, and contact OFAC if there is any reason to suspect the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.
  • Promptly report suspicious activity to FinCEN, highlighting the presence of “Cyber Event Indicators.” IOCs, such as suspicious email addresses, file names, hashes, domains, and IP addresses, can be provided in the SAR form. Information regarding ransomware variants, requested methods of payment, or other information may also be useful to law enforcement and for trend analysis in addition to virtual currency addresses and transaction hashes associated with ransomware payments.
  • Review financial red flag indicators of ransomware in the “Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments” issued by FinCEN in November 2021.

Report Suspicious Cyber Activity

  • To report a ransomware incident, contact CISA at [email protected], 888-282-0870 or www.cisa.gov/stopransomware.
  • Contact your local FBI or U.S. Secret Service field office or the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov.
  • Contact OFAC at [email protected] if there is any reason to suspect the cyber actor demanding ransomware payment may be sanctioned or otherwise have a sanctions nexus.

Develop a Cybersecurity Risk Management Plan

  • Title and settlement companies report that the volume of cyber attacks has either increased or remained the same last year when compared to 2020. Because of this, you and your staff need the skills and tools to respond to an ever-changing cyber landscape. Register for an upcoming free ALTA Insights webinar, sponsored by the FNF Family of Companies, to learn what considerations you may want to put into place for your company’s cyber safety and risk management in 2023.

